FTP server behind Net Firewall


This topic contains 4 replies, has 2 voices, and was last updated by  Vadim Smirnov 12 years, 3 months ago.

  • #4921

    Didier
    Participant

    Hi all,

    I am evaluating Net Firewall. I have installed it on a Windows 2000 Server SP4 machine.
    I have configured it to work with TCS, Web, POP3, SMTP, DNS and FTP.
    I have also installed Net Firewall on my workstation, which runs Windows 2000 Pro, and I have configured it for the same protocols.
    All works fine except FTP.
    I am using Bullet Pro FTP Server 2.1.5 and LeechFTP.
    On my server the rules are:
    FTP Server 5 ENABLED TCP 83.112.0.0 – 83.112.255.255 Any Any 21 Any WAN
    FTP Server 2 6 ENABLED TCP 83.112.0.0 – 83.112.255.255 Any Any 20 Any WAN
    On my workstation the rules are:
    FTP Server 5 ENABLED TCP Any Any Any 21 Any WAN
    FTP Server 2 6 ENABLED TCP Any Any Any 20 Any WAN

    Authentication is OK, but the directory listing returns nothing.
    In the logs of the 2 machines I can see traffic allowed for port 21; on the server I can see port 20 traffic allowed, but nothing about port 20 on my workstation (neither blocked nor allowed).

    Do you have any idea about that?

    Thanks for your help

    #5730

    Vadim Smirnov
    Moderator

    I'm not sure, but I think the problem is that LeechFTP uses passive FTP mode (both connections are established by the client).

    In this case:

    1) the client sends the PASV command to the server.
    2) the server starts listening on a newly allocated port and responds with a PORT command carrying its number.
    3) the client connects to this port => the data channel is established.

    I would recommend you try some other FTP clients to check this issue, for example ftp.exe, which is integrated into Windows. If I remember correctly, Explorer and IE also use passive mode by default, but ftp.exe does not.
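    The exchange described above, as an added example that is not part of the original post or of any product mentioned in it. The reply and command formats are the RFC 959 ones ("227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server, "PORT h1,h2,h3,h4,p1,p2" from the client, port = p1*256 + p2). The two server-side rules are the ones Didier posted; the IP addresses and the advertised ports are constructed for the example. The point it shows: the passive data channel arrives on an ephemeral server port that matches neither rule, while the active data channel leaves from local port 20 and matches "FTP Server 2".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the example; both fall inside the 83.112.0.0 - 83.112.255.255
# range the posted server-side rules allow. They are not taken from the thread.
SERVER_IP = "83.112.10.20"
CLIENT_IP = "83.112.44.7"

# RFC 959 wire formats; port = p1 * 256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def _decode_hostport(groups) -> Tuple[str, int]:
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % (nums,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Decode the server's 227 reply into (ip, ephemeral_port)."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return _decode_hostport(m.groups())


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode the client's PORT command into the (ip, port) the server must connect to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode_hostport(m.groups())


def build_port_command(ip: str, port: int) -> str:
    """Encode (ip, port) the way a client announces its listening socket."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("bad ip/port")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


@dataclass(frozen=True)
class Rule:
    """One allow rule: remote address range and the local port it permits, any direction."""
    name: str
    remote_lo: str
    remote_hi: str
    local_port: int


def _ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def matching_rule(rules: List[Rule], remote_ip: str, local_port: int) -> Optional[str]:
    """Name of the first rule allowing this remote address on this local port, else None."""
    r_ip = _ip_to_int(remote_ip)
    for r in rules:
        if _ip_to_int(r.remote_lo) <= r_ip <= _ip_to_int(r.remote_hi) and r.local_port == local_port:
            return r.name
    return None


# The two server-side rules from the original post, reduced to what matters here.
SERVER_RULES = [
    Rule("FTP Server", "83.112.0.0", "83.112.255.255", 21),
    Rule("FTP Server 2", "83.112.0.0", "83.112.255.255", 20),
]


def passive_data_channel(pasv_reply: str, client_ip: str) -> dict:
    """Data channel after PASV: the client connects in to the port the server advertised."""
    _srv_ip, srv_port = parse_pasv_reply(pasv_reply)
    return {
        "direction": "client->server",
        "server_port": srv_port,
        "allowed_by": matching_rule(SERVER_RULES, client_ip, srv_port),
    }


def active_data_channel(port_cmd: str) -> dict:
    """Data channel after PORT: the server connects out from local port 20 to the client."""
    client_ip, client_port = parse_port_command(port_cmd)
    return {
        "direction": "server->client",
        "server_port": 20,
        "client_port": client_port,
        "allowed_by": matching_rule(SERVER_RULES, client_ip, 20),
    }


if __name__ == "__main__":
    print("control:", matching_rule(SERVER_RULES, CLIENT_IP, 21))
    # Constructed 227 reply advertising port 195*256 + 80 = 50000.
    print("passive:", passive_data_channel("227 Entering Passive Mode (83,112,10,20,195,80)", CLIENT_IP))
    print("active: ", active_data_channel(build_port_command(CLIENT_IP, 51210)))
```

    Run as-is: the control channel and the active-mode data channel each report a matching rule, and the passive-mode data channel reports none, which is the situation the rules in the first post produce unless the firewall has an FTP helper that opens the advertised port.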

    #5731

    Didier
    Participant

    Well, I have tried ftp.exe with the same result.
    Connection and authentication OK; "dir" does not work.
    The same FTP server product is installed on our production server, which is behind a hardware firewall, and connecting from my workstation with LeechFTP works fine.
    My development FTP server has the same configuration as the production server.

    All my rules are on the “WAN Network Interface”.

    Is there something wrong?

    Thanks

    #5732

    Didier
    Participant

    I would like to explain the configuration.

    We have a Windows 2000 server which is used as a router between the building WAN and our LAN.
    There are 2 network cards in the server.
    Our LAN is used by 3 Macintosh workstations and 2 printers.

    So in the NeT Firewall Management Console under "Network Interfaces" there are the 2 network cards + "WAN Network Interface".
    LAN card parameter: Low level
    WAN card parameter: Third level
    WAN Network Interface: High security

    All rules are for any interface.
    When the WAN card parameter is set to High security there is no access to (for example) the Web. It is as if the rules cannot be applied.

    Thanks for your help,

    Didier

    #5733

    Vadim Smirnov
    Moderator

    When you set the High Security level, packets are passed only if a corresponding allow rule exists. So it is no wonder that your packets were blocked.

    If your server works as an Internet gateway, using the 3rd Stealth Level for the external card would be enough: by default all outgoing connections are allowed, but all incoming packets are blocked unless they belong to one of the locally established connections. However, this mode is strict enough that some complex protocols which use multiple streams may have problems with it. If you use any of them, you'd better use Stealth Level 2 or even Stealth Level 1.

    The High Security level is the best mode for a stand-alone server which provides certain services, like HTTP, FTP, e-mail, etc.
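    An added illustration of the "locally established connections" rule in this reply, and of why a multi-stream protocol such as FTP can break under it. This is a constructed model, not NeT Firewall code: it tracks every outbound connection the protected side opens and passes an inbound packet only when it belongs to one of them. The LAN and server addresses and the port numbers are made up for the example. A LAN client behind such a gateway succeeds in passive mode (its second connection is outbound too) and fails in active mode (the server's connection back from port 20 is an inbound SYN that matches nothing).

```python
from typing import List, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class StealthLevel3:
    """Constructed model of the 3rd Stealth Level as described in the reply above:
    every outbound connection is allowed and remembered; an inbound packet passes
    only if it belongs to a connection the protected side opened."""

    def __init__(self) -> None:
        self.established = set()  # {(local_endpoint, remote_endpoint)}
        self.log = []             # (verdict, direction, src, dst)

    def outbound(self, local: Endpoint, remote: Endpoint) -> bool:
        # Outgoing connections are allowed by default and tracked as state.
        self.established.add((local, remote))
        self.log.append(("ALLOW", "out", local, remote))
        return True

    def inbound(self, remote: Endpoint, local: Endpoint) -> bool:
        # Incoming packets pass only when they belong to tracked state.
        ok = (local, remote) in self.established
        self.log.append(("ALLOW" if ok else "BLOCK", "in", remote, local))
        return ok


# Constructed addresses: a LAN workstation behind the gateway and an external FTP server.
CLIENT = "192.168.1.10"
SERVER = "198.51.100.5"


def ftp_data_channel(fw: StealthLevel3, mode: str) -> bool:
    """Open the control channel, then the data channel in the given mode, through fw.
    Returns whether the firewall lets the data channel through."""
    # Control channel: client -> server:21 is outbound, so it is allowed and tracked.
    fw.outbound((CLIENT, 40001), (SERVER, 21))
    # The server's replies on the control channel belong to that connection and pass.
    fw.inbound((SERVER, 21), (CLIENT, 40001))
    if mode == "passive":
        # After PASV the server advertises a port (50000 here, constructed) and the
        # client opens a second outbound connection, which is allowed like the first.
        return fw.outbound((CLIENT, 40002), (SERVER, 50000))
    if mode == "active":
        # After PORT the server connects back from port 20 to the client's listening
        # port. That SYN is inbound and matches no tracked connection, so it is dropped.
        return fw.inbound((SERVER, 20), (CLIENT, 40002))
    raise ValueError("mode must be 'passive' or 'active'")


def summarize(fw: StealthLevel3) -> List[str]:
    """Render the firewall's decisions as one line per packet, source -> destination."""
    return [
        "%s %-3s %s:%d -> %s:%d" % (verdict, direction, src[0], src[1], dst[0], dst[1])
        for verdict, direction, src, dst in fw.log
    ]


if __name__ == "__main__":
    for mode in ("passive", "active"):
        fw = StealthLevel3()
        result = ftp_data_channel(fw, mode)
        print("%s data channel allowed: %s" % (mode, result))
        for line in summarize(fw):
            print("  " + line)
```

    The same model explains the original symptom in reverse: an FTP server placed behind the gateway receives the passive-mode data connection as an inbound SYN to an ephemeral port, which the state table does not know about, so either an explicit allow rule or a protocol-aware helper is needed for passive FTP to work.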
